
Re: [suse-security] ipsec freeswan - connection established successfully, but packets are dropped ...



On Friday, 17 October 2003 08:28, Andreas Baetz wrote:
> Ed,
>
> You could check the following:
> Is the routing between the subnets correct ?
> Do the packets arrive at the eth-Interface of your source GW ?
> Is forwarding switched on at the GW ?
>
> Andreas
(...)
>
A) I'm not quite sure if routing is correct, but ipsec works one-way (if 
it's initiated from one side), so I think routing should be OK.
Forwarding is switched on.
Here's an extract from tcpdump -i ipsec0 (on the right-hand server):
----------------
14:09:34.824650 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:34.852147 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:34.852393 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:35.824675 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:35.846827 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:35.847018 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:36.824670 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:36.847427 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:36.847605 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:37.824697 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:37.851494 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:37.851698 192.168.0.4 > 192.168.89.12: icmp: echo reply
-------------------
As you can see, I managed to have left-side hosts ping to the right side 
and get answers (ssh works, too).  But the other way round, packets are 
dropped. 217.229.160.84 is my current IP on the right side - is this 
right? Shouldn't the local IP of the pinging host appear here?

route says (Iface column re-joined where the mail wrapped it):
-----------------right server--------------
Server:/ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
a.b.c.d         *               255.255.255.255 UH    0      0        0 ppp0
a.b.c.d         *               255.255.255.255 UH    0      0        0 ipsec0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.89.0    *               255.255.255.0   U     0      0        0 ipsec0
default         a.b.c.d         0.0.0.0         UG    0      0        0 ppp0
Server:/ #
	(a.b.c.d is the p-t-p partner of my DSL connection)
------------------------------------------------
----------------left server--------------------
Server1:/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
e.f.g.h         0.0.0.0         255.255.255.240 U     0      0        0 eth1
e.f.g.h         0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.89.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         e.f.g.i         0.0.0.0         UG    0      0        0 eth1
Server1:/ #
with e.f.g.h the local (fixed) IP of the subnet and e.f.g.i the IP of 
Server1.
----------------------------------------------------

and eroute says:
-------------right-side------------------
Server:/ # ipsec eroute
4          192.168.0.0/24:0   -> 192.168.89.0/24:0  => tun0x1002@xxxxxxx:0
Server:/ #
-------------left-side--------------------

Server1:/ # ipsec eroute
4          192.168.89.0/24:0  -> 192.168.0.0/24:0   => tun0x1004@xxxxxxxxxxxxxx:0
Server1:/ #
-------------------------------------------

However, pings from a host in subnet 192.168.0.0 (=right) to the left 
are dropped on interface ipsec0. But not if the connection has been 
established from the left-hand side.
----------------------------dropped packets---------------

Server:/ # ifconfig ipsec0
ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:217.229.160.84  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:240 (240.0 b)  TX bytes:448 (448.0 b)
Server:/ #
--------------------------------------------------------------
As you can see, four packets came from the left side and were answered, but 
the 612 pings from right to left were dropped.
Strange.
I'll take a deep look into my firewall rules, but there should be no 
such rule preventing that.
Are there any kernel runtime parameters concerning this?
I have all rp_filter = 0, ip_forward=1 - and what do I need more?

Any help is welcome!
-- 
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
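
Added example (editor's code, not from the post or from FreeS/WAN): a small POSIX shell checker for the two questions this thread keeps returning to. Given pasted `route -n` output and `ipsec eroute` output it tells you, for a SRC -> DST pair, whether the kernel would hand the packet to ipsec0 at all, and whether any eroute selector pair then covers it. The second check is the caveat worth knowing: FreeS/WAN only encrypts packets whose source *and* destination both fall inside an eroute's selectors; anything else routed into ipsec0 is dropped there and counted under `TX ... dropped` in `ifconfig ipsec0`. A ping carrying the gateway's own public address as source (217.229.160.84, which is the ipsec0 address above and the source of the first tcpdump line) is such a packet, so pinging from the gateway itself without forcing a source inside the protected subnet is not a valid test of the tunnel. Assumptions: the column layouts shown in the mail, placeholder rows such as `a.b.c.d` skipped, and the right-hand server's tables re-typed inline as constructed input with `*` written as `0.0.0.0`.

```shell
#!/bin/sh
# Editor's example for the suse-security thread above; not code from the post.
# Assumes POSIX sh and the 'route -n' / 'ipsec eroute' layouts shown in the mail:
#   "<count> <src>/<len>:<port> -> <dst>/<len>:<port> => tunNNNN@gw:0"

# Constructed sample input: the right-hand server's tables from the mail, with the
# wrapped Iface column re-joined and '*' written as 0.0.0.0 (route -n style).
RIGHT_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
a.b.c.d         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
a.b.c.d         0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.89.0    0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         a.b.c.d         0.0.0.0         UG    0      0        0 ppp0'
RIGHT_EROUTE='4          192.168.0.0/24:0   -> 192.168.89.0/24:0  => tun0x1002@xxxxxxx:0'

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN: true if IP lies inside NET/LEN
in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# route_iface ROUTE_TABLE DST: print the Iface of the most specific route matching DST.
# Rows whose Destination is not numeric (header, a.b.c.d placeholders) are skipped.
route_iface() {
    _dst=$(ip_to_int "$2"); _best=-1; _if=""
    while read -r dest gw mask flags metric ref use iface; do
        [ -n "$dest" ] || continue
        case $dest in *[!0-9.]*) continue ;; esac
        _m=$(ip_to_int "$mask"); _d=$(ip_to_int "$dest")
        if [ $(( _dst & _m )) -eq $(( _d & _m )) ] && [ "$_m" -gt "$_best" ]; then
            _best=$_m; _if=$iface
        fi
    done <<EOF
$1
EOF
    echo "$_if"
}

# eroute_selects EROUTE_TABLE SRC DST: true if some eroute's selector pair covers
# SRC->DST. Only such packets get encrypted; anything else handed to ipsec0 is
# dropped and shows up as 'TX ... dropped' in 'ifconfig ipsec0'.
eroute_selects() {
    _found=1
    while read -r count ssel arrow dsel rest; do
        [ "$arrow" = "->" ] || continue
        if in_cidr "$2" "${ssel%%:*}" && in_cidr "$3" "${dsel%%:*}"; then _found=0; fi
    done <<EOF
$1
EOF
    return $_found
}

# check_path ROUTE_TABLE EROUTE_TABLE SRC DST: classify a SRC->DST packet on this gateway
check_path() {
    _via=$(route_iface "$1" "$4")
    if [ "$_via" != "ipsec0" ]; then echo "not-via-ipsec0 ($_via)"; return 1; fi
    if ! eroute_selects "$2" "$3" "$4"; then echo "no-eroute"; return 1; fi
    echo ok
}

# Demo: a LAN host behind the right gateway; the gateway pinging from its own public
# address (the first tcpdump line in the post); and traffic to an unrelated subnet.
for pair in "192.168.0.4 192.168.89.12" "217.229.160.84 192.168.89.12" "192.168.0.4 10.0.0.5"; do
    set -- $pair
    printf '%-16s -> %-16s %s\n' "$1" "$2" "$(check_path "$RIGHT_ROUTES" "$RIGHT_EROUTE" "$1" "$2")"
done
```

To use it against a live gateway, paste `route -n` into RIGHT_ROUTES and `ipsec eroute` into RIGHT_EROUTE and call `check_path` with the real source host behind the gateway, not the gateway's own address; if the result is `no-eroute` for a host that should be covered, the selectors (leftsubnet/rightsubnet) are the problem, not forwarding or rp_filter.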

